Release notes for the Splunk Common Information Model Add-on
Version 4.14.0 of the Splunk Common Information Model Add-on was released on 10/18/2019.
New features
Version 4.14.x of the Splunk Common Information Model Add-on includes the following new features.
| Enhancement | Description |
|---|---|
| New Event Signatures datamodel | This uses a new tag track_event_signatures that can be applied at the sourcetype level:
{{[sourcetype=WinEventLog:Security]
track_event_signatures = enabled}}
See Event Signatures. |
| Search results to help prioritize fields to map when normalizing | See Make your fields CIM-compliant. |
| Framework enhancement for adaptive response actions | Now supports digest_mode behavior for actions that require per-result-alerting, such as email.
|
| Intrusion Detection data model updates | Fields added for file_hash, file_name, and file_path. The allowed and blocked prescribed values are added to the action field. See Intrusion Detection.
|
| CIM Filters update | The cim_filter_known_scanners macro is updated to use NOT instead of !=. See Use the CIM Filters macros to exclude data.
|
| Python 2 and Python 3 support included | CIM 4.14.x is Python 2 and 3 compliant and is fully compatible with all versions of Splunk Enterprise 7.0 and above, plus future versions of Splunk Enterprise that ship with the Python 3 interpreter. See Upcoming changes to Splunk Enterprise. |
Upgrade requirements
| Splunk platform version | Upgrade activity |
|---|---|
| 7.0.x or later | If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field. |
Compatibility
Version 4.14.x of the Splunk Common Information Model Add-on requires Splunk platform version 7.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_whitelist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.
Fixed issues
This version of the Splunk Common Information Model Add-on fixes the following issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2019-09-17 | CIM-869 | Adhoc Modular Actions: Splunk users with spaces in their name unable to dispatch adhoc actions |
| 2019-05-06 | CIM-813 | Fields with leading uppercase do not MV properly |
Known issues
This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.
Deprecated features
As of version 4.14.0:
- The Predictive Analytics dashboard has been deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.
As of version 4.13.0:
- N/A
As of version 4.12.0:
- The modaction_invocations_rest_handler.py (alerts/modaction_invocations) has been deprecated and will be removed in a future version.
- The following previously deprecated configurations have been removed.
`search_activity`macro`search_typer`macro
- Deprecated data models: Application State and Change Analysis
As of version 4.11.0:
- The index definition
cim_summaryhas been removed. - Several configurations are deprecated and will be removed in a future release.
datamodel_for_audittrailtransformsavedsearch_name_for_audittrailtransformuser_for_audittrailtransform
Third-party software attributions
The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.
| Set up the Splunk Common Information Model Add-on | Support and resource links for the Splunk Common Information Model Add-on |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.14.0
Download manual
Feedback submitted, thanks!